The single biggest issue most companies have with security today is what it costs to be secure.

Every where you go there has been an explosion of security devices that all purport to deal with some specific issue or another. That's all fine for as far as it goes, but then you have to hire all the people required to manage those devices. Of course, those people are in short supply so they tend to command a premium salary. And if you can hire them, you're always fending off competitive offers. That means the turnover rate among security professionals within IT is pretty high. And the cost of training people is prohibitive, so once you pay to train them it's hard to keep them.

In recent years, IT organizations have been trying to mitigate the cost of security by adopting new solutions that are based on a managed service or are delivered as a service. That managed services model essentially offloads the cost of the security professionals on to a third-part supplier than ameliorate that cost across multiple customers. The software-as-a-service model works well around a specific product from a single vendor, but we all know that a robust security solution requires multiple products from multiple vendors.

This is why it is with great interest that IT organizations are now watching the emergence of security in the cloud services. One of the first offerings using this model is a new provider called Zscaler, which has been launched by Jay Chaudhry.

Chaudhry was one of the driving forces behind companies such as CipherTrust, AirDefense, CoreHarbor, Air2Web and SecureIT. That means that in many ways he's personally responsible for a lot of the security sprawl that is today choking a lot of our IT infrastructure.

With the launch of Zscaler, Chaudry and his team are now talking about moving the entire security infrastructure into the cloud. Thanks to the skills of a number of NetScaler engineers, Chaudry says his new company can deliver all necessary security functions without significantly compromising any of the performance of the applications running locally at the customer's site. Essentially, Zscaler is taking advantage of high bandwidth and a dedicated processing engine to deliver a worldwide security service that is similar in concept to the architecture that companies such as Akamai use to deliver content.

On the face of it, you might think that security professionals would be horrified by the whole security in the cloud concept. But one of the first customers of the service is John Penrod, chief information security officer for The Weather Channel.

In Pemrod's mind, the return on investment model of Zscaler pretty much makes it a "no- brainer" compared to first buying and installing a raft of security products and then hiring people to manage them. The added latency of the service is marginal at best and the transparency of service should allow him to develop all the reporting capabilities he'll ever need.

The truth of the matter is that the return on investment in security products is like trying to prove a negative. Unless something goes dramatically wrong, it's hard to prove that the absence of any specific security product led to a catastrophic breach. And if the breach never happens, it's hard to prove that the presence of the security products prevented the breach from happening.

That doesn't mean we don't need security products. It just means we need a more rationale way of delivering the capability. Zscaler won't be the only company to deliver security via a cloud computing model, but one thing is for sure. We're going to see and hear a lot more about this model in the months ahead, especially as soft economic times means everybody looking for a more economically efficient way to deliver technology.